Bank-Grade Security

OVERVIEW

ENCRYPTION

Your connection to HelloSign is secure and encrypted using SSL (Secure Sockets Layer). This is the same level of encryption used by leading banks and government agencies. Your documents are also stored and encrypted at rest using 256-bit AES encryption. Each one is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key. This means that even if someone were able to bypass the physical security (see below) and access a hard drive, they still wouldn't be able to decrypt your data.

PHYSICAL SECURITY

HelloSign is hosted in a state-of-the-art SAS 70 Type II, SSAE 16 facility that has achieved ISO 27001 certification. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.

AUDIT TRAIL

HelloSign creates a comprehensive transaction trail between signing parties. To provide you with a transaction history, we track and timestamp information such as IP address and User-Agent from the moment the document is submitted for signature to when it is completely signed and secured. To ensure that any tampering with your transaction log is detectable, we process the transaction log with hashing technology. Should you ever need to rely on a transaction log, we are right by your side to assist you. The Audit Trail that is appended to all executed Signature Requests includes an identifier that we can use to look up the corresponding transaction log in our database. These records include a hash of the PDF document, which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with.
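The tamper-evidence idea described above, as an added example that is not HelloSign's own code. The page does not name the hash function or the log layout, so SHA-256, the hash-chain structure, the field names and all function names here are assumptions, and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev: str, event: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev + body).encode())

def append_event(log: list, event: dict) -> None:
    """Append an event whose hash also covers the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev,
                "entry_hash": entry_hash(prev, event)})

def first_tampered_index(log: list):
    """Recompute the chain; return the index of the first bad entry, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_hash(prev, entry["event"])
        if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return i
        prev = entry["entry_hash"]
    return None

def document_matches(log: list, pdf_bytes: bytes) -> bool:
    """Compare a questioned PDF with the hash recorded when signing completed."""
    recorded = [e["event"]["doc_sha256"] for e in log
                if e["event"]["action"] == "completed"]
    return bool(recorded) and hmac.compare_digest(recorded[-1], sha256_hex(pdf_bytes))

def build_sample_log(pdf_bytes: bytes) -> list:
    """Constructed sample events; IPs come from documentation ranges."""
    log = []
    append_event(log, {"action": "submitted", "ts": "2024-01-01T10:00:00Z",
                       "ip": "192.0.2.10", "user_agent": "ExampleBrowser/1.0"})
    append_event(log, {"action": "signed", "ts": "2024-01-01T10:05:00Z",
                       "ip": "198.51.100.7", "user_agent": "ExampleBrowser/2.0"})
    append_event(log, {"action": "completed", "ts": "2024-01-01T10:05:01Z",
                       "doc_sha256": sha256_hex(pdf_bytes)})
    return log

if __name__ == "__main__":
    pdf = b"%PDF-1.7 constructed sample"
    log = build_sample_log(pdf)
    print(first_tampered_index(log), document_matches(log, pdf))
    log[1]["event"]["ip"] = "203.0.113.99"  # simulate an edited record
    print(first_tampered_index(log), document_matches(log, pdf + b" "))
```

A chain like this only detects edits if the latest `entry_hash` is also kept somewhere a log editor cannot rewrite, since anyone able to rewrite every entry can recompute the whole chain.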

RELIABILITY

The system used to store HelloSign documents is designed to achieve 'nine 9s' of durability, with data automatically replicated in multiple data centers.

ACCESS

If you would like to correct, amend or delete any information on the site, you can either change your personal preferences on the "Settings" page or email us at support@hellosign.com.

CREDIT CARD INFORMATION

HelloSign does not store your credit card information on its servers. When you submit your credit card information, we pass it along to our payments processor Stripe, a PCI Service Provider Level 1 service.

LEGALITY

HelloSign complies with the U.S. ESIGN Act, the Uniform Electronic Transactions Act (UETA), and the European Union eIDAS (EU No. 910/2014) regarding electronic signatures and transmissions. Detailed audit trails that include sender name, email address, timestamps, and IP addresses are appended to each signature request/response. For more information, visit HelloSign.

RESPONSIBLE DISCLOSURE POLICY

HelloSign runs a private bug bounty program to encourage security researchers to research and responsibly disclose vulnerabilities. If you believe that you have discovered a vulnerability, please report it to us at security@hellosign.com and we may choose to add you to our bug bounty program.